| A vulnerability has been discovered in Nx (build system) Package, which could allow for sensitive data exfiltration. Nx is a smart, fast, and extensible build system designed for managing monorepos efficiently by providing features like dependency graph analysis, computation caching, distributed task execution, and codebase upgrades. Successful exploitation of this vulnerability could allow threat actors to perform network reconnaissance and leak sensitive data. |
| Threat Intelligence |
| According to StepSecurity: Threat Actors have successfully injected malicious code into the Nx build system package and several related plugins to collect host information, cryptocurrency wallets, and development credentials. |
| Systems Affected |
| nx/devkit 21.5.0, 20.9.0 nx/enterprise 3.2.0 nx/eslint 21.5.0 nx/js 21.5.0, 20.9.0 nx/key 3.2.0 nx/node 21.5.0, 20.9.0 nx/workspace 21.5.0, 20.9.0 |
| Risk |
| Government: – Large and medium government entities: High – Small government entities: Medium |
| Businesses: – Large and medium business entities: High – Small business entities: Medium |
| Home Users: Low |
| Recommendations |
| Review Stepsecurity.io immediate remediation steps. Apply appropriate updates provided by Nx or other vendors which use this software to vulnerable systems immediately after appropriate testing. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. |
| Reference |